Computer Security: Art and Science

This book provides a thorough and comprehensive introduction to computer security. It covers both the theoretical foundations and practical aspects of secure systems. The theory demonstrates what is possible; the practical shows what is feasible. The book also discusses policy, because policy ultimately defines what is and is not “secure.” Throughout, the well-known author reveals the multiplex interrelationships among the many subdisciplines of computer security, and provides numerous examples to illustrate the principles and techniques discussed. This long-awaited book has been thoroughly class-tested at both the advanced undergraduate level, with an emphasis on its more applied coverage, and at the introductory graduate level, where theory and practice are covered more equally.

"This is an excellent text that should be read by every computer security professional and student."

—Dick Kemmerer, University of California, Santa Barbara.

"This is the most complete book on information security theory, technology, and practice that I have encountered anywhere!"

This highly anticipated book fully introduces the theory and practice of computer security. It is both a comprehensive text, explaining the most fundamental and pervasive aspects of the field, and a detailed reference filled with valuable information for even the most seasoned practitioner. In this one extraordinary volume the author incorporates concepts from computer systems, networks, human factors, and cryptography. In doing so, he effectively demonstrates that computer security is an art as well as a science.

Computer Security: Art and Science includes detailed discussions on:

The nature and challenges of computer security

The relationship between policy and security

The role and application of cryptography

The mechanisms used to implement policies

Methodologies and technologies for assurance

Vulnerability analysis and intrusion detection

Computer Security discusses different policy models, and presents mechanisms that can be used to enforce these policies. It concludes with examples that show how to apply the principles discussed in earlier sections, beginning with networks and moving on to systems, users, and programs.

This important work is essential for anyone who needs to understand, implement, or maintain a secure network or computer system.

2. Access Control Matrix. Protection State. Access Control Matrix Model. Access Control by Boolean Expression Evaluation. Access Controlled by History. Protection State Transitions. Conditional Commands. Copying, Owning, and the Attenuation of Privilege. Copy Right. Own Right. Principle of Attenuation of Privilege.

13. Design Principles. Overview. Design Principles. Principle of Least Privilege. Principle of Fail-Safe Defaults. Principle of Economy of Mechanism. Principle of Complete Mediation. Principle of Open Design. Principle of Separation of Privilege. Principle of Least Common Mechanism. Principle of Psychological Acceptability.

14. Representing Identity. What Is Identity? Files and Objects. Users. Groups and Roles. Naming and Certificates. Conflicts. The Meaning of the Identity. Trust. Identity on the Web. Host Identity. State and Cookies. Anonymity on the Web.

18. Introduction to Assurance. Assurance and Trust. The Need for Assurance. The Role of Requirements in Assurance. Assurance Throughout the Life Cycle. Building Secure and Trusted Systems. Life Cycle. The Waterfall Life Cycle Model. Other Models of Software Development.

19. Building Systems with Assurance. Assurance in Requirements Definition and Analysis. Threats and Security Objectives. Architectural Considerations. Policy Definition and Requirements Specification. Justifying Requirements. Assurance During System and Software Design. Design Techniques That Support Assurance. Design Document Contents. Building Documentation and Specifications. Justifying That Design Meets Requirements. Assurance in Implementation and Integration. Implementation Considerations That Support Assurance. Assurance Through Implementation Management. Justifying That the Implementation Meets the Design. Assurance During Operation and Maintenance.

27. System Security. Introduction. Policy. The Web Server System in the DMZ. The Development System. Comparison. Conclusion. Networks. The Web Server System in the DMZ. The Development System. Comparison. Users. The Web Server System in the DMZ. The Development System. Comparison. Authentication. The Web Server System in the DMZ. Development Network System. Comparison. Processes. The Web Server System in the DMZ. The Development System. Comparison. Files. The Web Server System in the DMZ. The Development System. Comparison. Retrospective. The Web Server System in the DMZ. The Development System.